Re: Certificates Trust List
From: Andrey Kreitor (kreit_at_mail.ru)
Date: 11/12/04
Date: 11 Nov 2004 21:15:32 -0800
OK, a little weird since it's common practice for an offline root to not
have CRLs....
David, are there any workarounds? To renew the root certificate with a
valid CRL?
It's even more strange - this works OK with XP, 2003, 2000 SP3. It
doesn't work with 2000 since SP4. I can even check web sites'
certificates accessed from stations under Win2k SP4.
Maybe this doesn't work with Outlook only. Even if I disable CRL
checking in Outlook through "UseCRLChasing" I still get these
warnings...
Andrey
"David Cross [MS]" <dcross@online.microsoft.com> wrote in message news:<e9o5ba$xEHA.2568@TK2MSFTNGP11.phx.gbl>...
> does the root CA cert have a CDP extension in it?
>
> this error implies that a cert in the chain specifies a CRL in a CDP
> location that cannot be retrieved.
>
> --
>
>
> David B. Cross [MS]
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> http://support.microsoft.com
>
> "Andrey Kreitor" <kreit@mail.ru> wrote in message
> news:670d9223.0411110446.4a33ce0d@posting.google.com...
> > David,
> > I managed to run capimon - sdbinst.exe was missing on my machine...
> > I get this error according to Capimon:
> >
> > ----
> > Return Value: Failure (0)
> > Last Error: The revocation function was unable to check revocation for
> > the certificate. (0x80092012)
> >
> > CertDllVerifyRevocation Parameters:
> > Encoding Type: 0x00000001
> > X509_ASN_ENCODING (0x00000001)
> >
> > Revocation Type: 0x00000001
> > CERT_CONTEXT_REVOCATION_TYPE (0x00000001)
> >
> > Flags: 0x00000002
> > CERT_VERIFY_CACHE_ONLY_BASED_REVOCATION (0x00000002)
> >
> > -----
> >
> > It seems it checks for a CRL for the offline root CA I trust.... but it
> > doesn't have CRLs at all... What can I do?
> >
> > Andrey.
> >
> >
> >
> >
> > kreit@mail.ru (Andrey Kreitor) wrote in message
> > news:<670d9223.0411102307.3bacdedb@posting.google.com>...
> >> The exact path is "c:\Program Files\Microsoft Office\Office\outlook.exe"
> >> I just played with paths like this "c:\outlook.exe" to make it (the path)
> >> simpler :)
> >>
> >> What I did:
> >> 1. installed
> >> 2. tried to run this command:
> >> Capimon.exe -setup -appname: Application_Path
> >>
> >>
> >> Andrey.
> >>
> >>
> >>
> >> "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> >> news:<#V0AEfyxEHA.3336@TK2MSFTNGP11.phx.gbl>...
> >> > are you sure that is the right path to outlook.exe ?
> >> >
> >> > for example on my machine it is: "c:\program files\Microsoft
> >> > Office\Office
> >> > 11\outlook.exe"
> >> >
> >> > --
> >> >
> >> >
> >> > David B. Cross [MS]
> >> >
> >> > --
> >> > This posting is provided "AS IS" with no warranties, and confers no
> >> > rights.
> >> >
> >> > http://support.microsoft.com
> >> >
> >> > "Andrey Kreitor" <kreit@mail.ru> wrote in message
> >> > news:670d9223.0411100150.793e6429@posting.google.com...
> >> > > tried this with\without quotation marks:
> >> > > c:\Program Files\Microsoft CAPIMON 1.0>Capimon.exe -setup
> >> > > -appname:"c:\Program Files\Microsoft Office\Office\outlook.exe"
> >> > > or
> >> > > c:\Program Files\Microsoft CAPIMON 1.0>Capimon.exe -setup
> >> > > -appname:c:\outlook.exe
> >> > >
> >> > > All I get:
> >> > > "Error: The system cannot find the file specified."
> >> > >
> >> > >
> >> > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> >> > > news:<OY7$SrAxEHA.2568@TK2MSFTNGP10.phx.gbl>...
> >> > >> Hard to tell what the problem might be, but you might be able to use
> >> > >> CAPIMON
> >> > >> with your application to troubleshoot.
> >> > >>
> >> > >>
> >> > >>
> >> > >> CAPIMON:
> >> > >> http://www.microsoft.com/downloads/details.aspx?FamilyId=0BFE87A8-4E79-4441-9D4C-0CAB35D49A01&displaylang=en.
> >> > >>
> >> > >>
> >> > >>
> >> > >> --
> >> > >>
> >> > >>
> >> > >> David B. Cross [MS]
> >> > >>
> >> > >> --
> >> > >> This posting is provided "AS IS" with no warranties, and confers no
> >> > >> rights.
> >> > >>
> >> > >> http://support.microsoft.com
> >> > >>
> >> > >> "Andrey Kreitor" <kreit@mail.ru> wrote in message
> >> > >> news:670d9223.0411050650.725a9706@posting.google.com...
> >> > >> > All domain controllers under win2k. Schema upgraded to 2003.
> >> > >> > Enterprise CA under windows 2003 and offline root ca under
> >> > >> > win2003.
> >> > >> >
> >> > >> > Here is the problem with a CTL to another organization's root cert.
> >> > >> > Certificate chain check shows "Generic trust failure."... when
> >> > >> > using
> >> > >> > Outlook.
> >> > >> >
> >> > >> > Of course I checked that I can see the CTL in the user's personal
> >> > >> > certificate store.
> >> > >> > This problem occurs only with clients under win2k. I have no
> >> > >> > problems
> >> > >> > under server 2003 or XP clients.
> >> > >> >
> >> > >> > What may cause this?
> >> > >> > Thanks in advance!
> >> > >> >
> >> > >> > P.S. Certificate template v2 (Microsoft Trust List Signing
> >> > >> > Application
> >> > >> > policy) signed the CTL
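
Added example (not part of the original thread or of any poster's message): a PowerShell script that answers the question raised above, "does the root CA cert have a CDP extension in it?", by building the chain with revocation checking on every element and listing each certificate's CRL Distribution Points next to its chain status. The parameter name $CertPath and the report layout are assumptions made for this illustration.

```powershell
# Added example: per-element CDP and revocation status for one certificate chain.
# $CertPath (assumed name) is the path to an exported end-entity certificate (.cer).
param(
    [Parameter(Mandatory = $true)]
    [string]$CertPath
)

$cdpOid = '2.5.29.31'   # OID of the CRL Distribution Points extension

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# Check revocation for every element, the root included, retrieving CRLs online.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain

$chainOk = $chain.Build($cert)

$report = foreach ($element in $chain.ChainElements) {
    $c   = $element.Certificate
    $ext = $c.Extensions | Where-Object { $_.Oid.Value -eq $cdpOid }

    # Format() renders the decoded extension, including the CRL URLs it names.
    $cdpText = if ($ext) { $ext.Format($false) } else { '(no CDP extension)' }

    # An empty status array means this element passed every check.
    $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'NoError' }

    [pscustomobject]@{
        Subject    = $c.Subject
        SelfSigned = ($c.Subject -eq $c.Issuer)
        CDP        = $cdpText
        Status     = $status
    }
}

$report | Format-List
"Chain build result: $chainOk"
```

An element that lists a CDP and reports RevocationStatusUnknown or OfflineRevocation is one whose CRL could not be obtained from the location named in its certificate.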